[keycloak-user] Keycloak 3.4.x client-url and SSO questions

PEETERS.THOMAS (ICT) THOMAS.PEETERS at Hvw-Capac.fgov.be
Tue Jun 26 05:53:56 EDT 2018


One of the issues was rather easily resolved.  I forgot about being able to implicitly inject an authenticationSuccessHandler in the Spring security application context.  The one from Spring Security will do just fine with property "alwaysUseDefaultTargetUrl" set to true.

The most pressing issue for us now is being able to log out of all SSO applications with one logout.  So a logout in SSO application_A should cause the other SSO applications to redirect to the Keycloak login URL upon the next request.  Right now we have to wait for the browser to expire its session naturally for that to happen.
This appears to be harder, unless I'm missing something again.

T

-----Original Message-----
From: keycloak-user-bounces at lists.jboss.org [mailto:keycloak-user-bounces at lists.jboss.org] On behalf of PEETERS.THOMAS (ICT)
Sent: Friday 22 June 2018 13:13
To: keycloak-user at lists.jboss.org
Subject: [keycloak-user] Keycloak 3.4.x client-url and SSO questions

Hey all,

While implementing a Keycloak based secure application set (3 internal web applications) with Spring-Security, I’ve come upon some details that I can’t seem to find an adequate answer to.

Our environment and implementations:
The security layer is implemented on the front-end only (for now).

JBoss EAP 6.4, JSF 2.1 Mojarra with RichFaces 4, Spring 3.2.18, Spring-security 3.2.10, Keycloak-spring-security-adapter 3.4.1 (same as the Keycloak server being used).

What we’ve got working:
2 applications with SSL and SSO.  Both redirect to the Keycloak login page.  When we log in to app1 we’re also logged in to app2, so that’s good.

What we want but can’t seem to achieve:

· Log out of app1 --> a refresh of app2 should redirect to the Keycloak login page.

  At this point it seems that the user credentials remain active as long as the browser session remains active.

· After a successful login from the Keycloak login page, always redirect to the application welcome page (index.xhtml for instance).

  Use case: a user is working in one of our secured applications, their browser session has ended, and they click on some kind of link.  The application correctly redirects this user to the Keycloak login page.  The user correctly logs in and gets taken back to where he/she was.  However, when this is an AJAX kind of request, the user sees plain XML when taken back to the application.  To avoid this I would like to always redirect to the welcome page of the application when the user logs in through the Keycloak login page.  I can’t seem to find a way to do this.

· Logout doesn’t always work well.  Sometimes the Spring AntPathRequestMatcher doesn’t correctly match our logout pattern (/sso/logout**).  Therefore we’ve provided an alternative that we’ve found in the documentation in the form of:

  https://<keycloak-url-with-port>/auth/realms/<realmName>/protocol/openid-connect/logout?redirect_uri=<Application-base-URL>

  However, this doesn’t always work either.  There are situations, depending on invalid rights for certain application parts, where this never logs out a user.


We’ve got a Spring-security application context in XML that is roughly the same as the one found in the documentation.  And a keycloak.json file that looks like this:


{
  "realm": "<realmName>",
  "auth-server-url": "<keycloak-url-with-port>/auth",
  "ssl-required": "all",
  "truststore": "<working-truststore>",
  "truststore-password":"<a-working-pwd>",
  "resource": "<App1-name>",
  "public-client": true,
  "always-refresh-token": true
}

Due to the large number of Keycloak releases and the accompanying configuration changes, it’s really hard for us to find relevant information.  When we first started by creating a POC we used the most recent Keycloak version (3.4.1-Final).  A lot of information that is not old appears to be outdated.  Just an observation.


Thanks for reading.


Click here<https://www.hvw.fgov.be/nl/mail-disclaimer> for our disclaimer (Dutch)
Click here<https://www.hvw.fgov.be/fr/mail-disclaimer> for our disclaimer (French)
Click here<https://www.hvw.fgov.be/de/mail-disclaimer> for our disclaimer (German)
_______________________________________________
keycloak-user mailing list
keycloak-user at lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-user


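Editor's added example (not from the thread, the Keycloak documentation or the Keycloak project's own files): one Spring Security 3.2 XML context for the Keycloak 3.4 Spring Security adapter that addresses the three points raised in the thread, namely always landing on the welcome page after the Keycloak login, a single logout that reaches the other SSO applications, and a logout matcher that does not miss. The bean ids, the /index.xhtml and /sso/logout paths, the /WEB-INF/keycloak.json location and the web.xml listener mentioned in the comments are assumptions to adapt. Two things outside this file are required for the cross-application logout: in the Keycloak admin console the client's Admin URL must be set to the application's base URL, because Keycloak delivers the back-channel logout by POSTing a signed token to that URL followed by /k_logout, and that URL must be reachable from the Keycloak server, not only from the browser.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Added example, not the thread's or Keycloak's own file. Bean ids, paths and
     the web.xml listener mentioned below are assumptions; adapt them. -->
<beans xmlns="http://www.springframework.org/schema/beans"
       xmlns:context="http://www.springframework.org/schema/context"
       xmlns:security="http://www.springframework.org/schema/security"
       xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
       xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans.xsd
                           http://www.springframework.org/schema/context http://www.springframework.org/schema/context/spring-context.xsd
                           http://www.springframework.org/schema/security http://www.springframework.org/schema/security/spring-security.xsd">

    <context:component-scan base-package="org.keycloak.adapters.springsecurity" />

    <security:authentication-manager alias="authenticationManager">
        <security:authentication-provider ref="keycloakAuthenticationProvider" />
    </security:authentication-manager>

    <bean id="keycloakAuthenticationProvider"
          class="org.keycloak.adapters.springsecurity.authentication.KeycloakAuthenticationProvider" />

    <!-- Same keycloak.json as in the thread; its location here is an assumption. -->
    <bean id="adapterDeploymentContext"
          class="org.keycloak.adapters.springsecurity.AdapterDeploymentContextFactoryBean">
        <constructor-arg value="/WEB-INF/keycloak.json" />
    </bean>

    <bean id="keycloakAuthenticationEntryPoint"
          class="org.keycloak.adapters.springsecurity.authentication.KeycloakAuthenticationEntryPoint">
        <constructor-arg ref="adapterDeploymentContext" />
    </bean>

    <!-- (1) Always land on the welcome page after the Keycloak login. With the
         default saved-request handler, a login triggered by an AJAX request
         replays that AJAX URL and the browser shows its XML partial response. -->
    <bean id="welcomePageSuccessHandler"
          class="org.springframework.security.web.authentication.SimpleUrlAuthenticationSuccessHandler">
        <property name="defaultTargetUrl" value="/index.xhtml" />
        <property name="alwaysUseDefaultTargetUrl" value="true" />
    </bean>

    <bean id="keycloakAuthenticationProcessingFilter"
          class="org.keycloak.adapters.springsecurity.filter.KeycloakAuthenticationProcessingFilter">
        <constructor-arg ref="authenticationManager" />
        <property name="authenticationSuccessHandler" ref="welcomePageSuccessHandler" />
    </bean>

    <!-- (2) Single logout across app1/app2. When any client of the realm logs
         out, Keycloak POSTs a logout token, signed with the realm key, to each
         client's Admin URL + /k_logout. KeycloakPreAuthActionsFilter verifies
         the signature and asks HttpSessionManager to invalidate the HttpSessions
         tied to the ended Keycloak session, so the next request in this app is
         sent to the Keycloak login page instead of waiting for the browser
         session to expire. HttpSessionManager only learns about a session if
         org.springframework.security.web.session.HttpSessionEventPublisher is
         registered as a listener in web.xml (assumption: that listener exists). -->
    <bean id="httpSessionManager"
          class="org.keycloak.adapters.springsecurity.management.HttpSessionManager" />

    <bean id="keycloakPreAuthActionsFilter"
          class="org.keycloak.adapters.springsecurity.filter.KeycloakPreAuthActionsFilter">
        <property name="userSessionManagement" ref="httpSessionManager" />
    </bean>

    <!-- (3) Local logout. KeycloakLogoutHandler ends the Keycloak session using
         the refresh token, then SecurityContextLogoutHandler drops the local
         session (in that order: the first needs the authentication the second
         clears). Opening only the openid-connect/logout URL in the browser does
         the first step but never the second. AntPathRequestMatcher compares the
         servlet path only (never the query string) and is case-sensitive; the
         documented example also pins it to GET, which a JSF command button
         (a POST) never satisfies, so no method is pinned here. -->
    <bean id="keycloakLogoutHandler"
          class="org.keycloak.adapters.springsecurity.authentication.KeycloakLogoutHandler">
        <constructor-arg ref="adapterDeploymentContext" />
    </bean>

    <bean id="keycloakLogoutFilter"
          class="org.springframework.security.web.authentication.logout.LogoutFilter">
        <constructor-arg index="0" value="/index.xhtml" />
        <constructor-arg index="1">
            <list>
                <ref bean="keycloakLogoutHandler" />
                <bean class="org.springframework.security.web.authentication.logout.SecurityContextLogoutHandler" />
            </list>
        </constructor-arg>
        <property name="logoutRequestMatcher">
            <bean class="org.springframework.security.web.util.matcher.AntPathRequestMatcher">
                <constructor-arg index="0" value="/sso/logout**" />
            </bean>
        </property>
    </bean>

    <security:http auto-config="false" use-expressions="true"
                   entry-point-ref="keycloakAuthenticationEntryPoint">
        <security:custom-filter ref="keycloakPreAuthActionsFilter" after="SECURITY_CONTEXT_FILTER" />
        <security:custom-filter ref="keycloakLogoutFilter" before="LOGOUT_FILTER" />
        <security:custom-filter ref="keycloakAuthenticationProcessingFilter" before="FORM_LOGIN_FILTER" />
        <security:intercept-url pattern="/**" access="isAuthenticated()" />
    </security:http>
</beans>
```

To check that the back-channel path works before blaming the filter chain, log out of app1 and watch app2's access log for a POST to /k_logout coming from the Keycloak server's address; if it never arrives, the Admin URL is unset or unreachable from Keycloak, and no Spring configuration will help. The "always-refresh-token": true setting in the thread's keycloak.json is a separate, pull-based safety net: with it the adapter refreshes the token on each request and a refresh against an already ended Keycloak session fails, which also ends the local login, but only on the next request that reaches the adapter.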


